Re: HINT: pg_hba.conf changed since last config reload

From Stephen Frost
Subject Re: HINT: pg_hba.conf changed since last config reload
Msg-id 20140810130022.GE16422@tamriel.snowman.net
In reply to Re: HINT: pg_hba.conf changed since last config reload  (Andres Freund <andres@2ndquadrant.com>)
List pgsql-hackers
* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2014-08-10 19:48:29 +0800, Craig Ringer wrote:
> > I just had an idea I wanted to run by you all before turning it into a
> > patch.
> >
> > People seem to get confused when they get auth errors because they
> > changed pg_hba.conf but didn't reload.
> >
> > Should we emit a HINT alongside the main auth error in that case?
> >
> > Given the amount of confusion that I see around pg_hba.conf from new
> > users, I figure anything that makes it less confusing might be a good
> > thing if there aren't other consequences.
>
> I think we could/would only emit that to the server log because of
> security concerns. It very well might be interesting for an attacker to
> know that an outdated hba.conf is still being used... Would that still
> provide enough benefits?

I'd think that'd be useful even if it's only in the main log.

To Craig's point on addressing user confusion (when the user is really
an admin trying to work through changes), a HINT along the lines of
"this incident has been logged with details to the PostgreSQL log file"
or something might help.  It amazes me how often just telling people to
go *look at the server log file* helps...
Thanks,
    Stephen
